Apr 27th Update

nodes/orchestration/package/open-appsec-ctl.sh

@@ -48,6 +48,8 @@ NO_COLOR='\033[0m'
 pidof_cmd="pidof -x"
 is_alpine_release=
 
+var_last_policy_modification_time=0
+
 ls -l /etc/ | grep release > /dev/null 2>&1
 retval=$?
 
@@ -120,6 +122,14 @@ load_paths()
 
 load_paths
 
+AGENT_POLICY_PATH="${FILESYSTEM_PATH}/${cp_nano_conf_location}/policy.json"
+CUSTOM_POLICY_CONF_FILE="${FILESYSTEM_PATH}/${cp_nano_conf_location}/custom_policy.cfg"
+if [ -f ${CUSTOM_POLICY_CONF_FILE} ]; then
+    . $CUSTOM_POLICY_CONF_FILE
+else
+    var_policy_file="${FILESYSTEM_PATH}/${cp_nano_conf_location}/local_policy.yaml"
+fi
+
 is_arm32=
 if [ -n "$(uname -a | grep armv7l)" ]; then
     pidof_cmd="pidof"
@@ -144,7 +154,7 @@ lines_to_skip=$((PACKAGE_LIST_LINE_OFFSET))
 } <"${FILESYSTEM_PATH}/${CP_SCRIPTS_PATH}/${CP_NANO_PACKAGE_LIST_NAME}"
 
 is_valid_var_name() # Initials - ivvn
-{ 
+{
     ivvn_var_name=$1
     # Check that string $ivvn_var_name is a valid variable name
     # 	[[:alnum:]] - Alphanumeric [a-z A-Z 0-9]
@@ -949,14 +959,14 @@ run_status() # Initials - rs
         rs_temp_old_status=$(echo "$rs_orch_status" | sed -r "${rs_line_count},${rs_line_count}d; "' 1,1d; s/^\s*//g; s/^\n//g; s/\"//g; s/\\n/\n/g; s/\,//g')
     else
         rs_temp_old_status=$(sed 's/{//g' <${FILESYSTEM_PATH}/$cp_nano_conf_location/orchestration_status.json | sed 's/}//g' | sed 's/"//g' | sed 's/,//g' | sed -r '/^\s*$/d' | sed -r 's/^    //g')
-        rs_policy_load_time="$(cat /etc/cp/conf/orchestration_status.json | grep "Last policy update" | sed "s|\"||g" | sed "s|,||g")"
+        rs_policy_load_time="$(cat ${FILESYSTEM_PATH}/conf/orchestration_status.json | grep "Last policy update" | sed "s|\"||g" | sed "s|,||g")"
     fi
 
-    if [ -n "$(cat /etc/cp/conf/agent_details.json | grep "hybrid_mode")" ]; then
+    if [ -n "$(cat ${FILESYSTEM_PATH}/conf/agent_details.json | grep "hybrid_mode")" ]; then
         add_policy_file=true
         rs_mgmt_mode_text="Local management"
     else
-        if [ -n "$(cat /etc/cp/conf/settings.json | grep "\"profileManagedMode\":\"management\"")" ]; then
+        if [ -n "$(cat ${FILESYSTEM_PATH}/conf/settings.json | grep "\"profileManagedMode\":\"management\"")" ]; then
             add_policy_file=false
             rs_mgmt_mode_text="Cloud management (Fully managed)"
         else
@@ -968,9 +978,9 @@ run_status() # Initials - rs
 
     if [ "${add_policy_file}" = "true" ]; then
         echo "Policy files: "
-        echo "    /etc/cp/conf/local_policy.yaml"
+        echo "    ${var_policy_file}"
     else
-        policy=`cat /etc/cp/conf/policy.json`
+        policy=`cat ${AGENT_POLICY_PATH}`
         version="version"
         policy_version=${policy#*version}
         policy_version=`echo $policy_version | cut -d"\"" -f3`
@@ -1475,7 +1485,7 @@ set_mode()
 
     rm ${FILESYSTEM_PATH}/${cp_nano_conf_location}/agent_details.json
     rm ${FILESYSTEM_PATH}/${cp_nano_conf_location}/orchestration_status.json
-    echo '{}'>${FILESYSTEM_PATH}/${cp_nano_conf_location}/policy.json
+    echo '{}'>${AGENT_POLICY_PATH}
 
     if [ -f ${FILESYSTEM_PATH}/data/data5.a ]; then
         rm ${FILESYSTEM_PATH}/data/data5.a
@@ -1588,9 +1598,31 @@ stop_service() # Initials - stops
 
 record_command() # Initials - rc
 {
-    touch /var/log/nano_agent/operations.log
-    echo "$(tail -99 /var/log/nano_agent/operations.log)" > /var/log/nano_agent/operations.log
-    echo $(date "+%Y.%m.%d-%H.%M.%S") ": " $0 $@ >> /var/log/nano_agent/operations.log
+    touch ${LOG_FILE_PATH}/nano_agent/operations.log
+    echo "$(tail -99 ${LOG_FILE_PATH}/nano_agent/operations.log)" > ${LOG_FILE_PATH}/nano_agent/operations.log
+    echo $(date "+%Y.%m.%d-%H.%M.%S") ": " $0 $@ >> ${LOG_FILE_PATH}/nano_agent/operations.log
+}
+
+is_apply_policy_needed()
+{
+    if [ "${var_policy_file}" != "${var_new_policy_file}" ]; then
+        var_policy_file=$var_new_policy_file
+        return 0
+    fi
+    local_policy_modification_time=$(stat -c %Y ${var_policy_file})
+    if [ "${local_policy_modification_time}" -eq "${last_local_policy_modification_time}" ] || [ -z ${last_local_policy_modification_time} ]; then
+        return 1
+    fi
+    return 0
+}
+
+is_policy_file_changed()
+{
+    new_modification_time=$(stat -c %Y ${AGENT_POLICY_PATH})
+    if [ "${new_modification_time}" -gt "${var_last_policy_modification_time}" ]; then
+        return 1
+    fi
+    return 0
 }
 
 run() # Initials - r
@@ -1680,35 +1712,63 @@ run() # Initials - r
     elif [ "-vp" = "$1" ] || [ "--view-policy" = "$1" ]; then
         record_command $@
         shift
-        var_policy_file=$1
-        if [ -z ${var_policy_file} ]; then
-            var_policy_file="/etc/cp/conf/local_policy.yaml"
+        if [ ! -z $1 ]; then
+            var_policy_file=$1
         fi
         less ${var_policy_file}
     elif [ "-ep" = "$1" ] || [ "--edit-policy" = "$1" ]; then
         record_command $@
         shift
-        var_policy_file=$1
-        if [ -z ${var_policy_file} ]; then
-            var_policy_file="/etc/cp/conf/local_policy.yaml"
+        if [ ! -z $1 ]; then
+            var_policy_file=$1
         fi
         vi ${var_policy_file}
     elif [ "-ap" = "$1" ] || [ "--apply-policy" = "$1" ]; then
         record_command $@
-        curl_apply_policy=$(${curl_cmd} -S  -w "%{http_code}\n" -m 1 --noproxy "*" --header "Content-Type: application/json" \
-        --request POST --data {} http://127.0.0.1:"$(extract_api_port 'orchestration')"/set-apply-policy 2>&1)
-        while [ /etc/cp/conf/local_policy.yaml -nt /etc/cp/conf/policy.json ]; do
+        shift
+        if [ ! -z $1 ]; then
+            if [ "-d" = "$1" ] || [ "--default-policy" = "$1" ]; then
+                var_new_policy_file="${FILESYSTEM_PATH}/${cp_nano_conf_location}/local_policy.yaml"
+            elif [ -f $1 ]; then
+                var_new_policy_file=$1
+            else
+                echo "Invalid policy path: $1"
+                exit 1
+            fi
+        else
+            var_new_policy_file="${FILESYSTEM_PATH}/${cp_nano_conf_location}/local_policy.yaml"
+        fi
+
+        is_apply_policy_needed
+        if [ $? -eq 1 ]; then
+            echo "Policy didn't changed. Policy path: ${var_policy_file}"
+            exit 0
+        fi
+        echo "Applying new policy. Policy path: ${var_policy_file}"
+        var_last_policy_modification_time=$(stat -c %Y ${AGENT_POLICY_PATH})
+        curl_apply_policy=$(${curl_cmd} -S  -w "%{http_code}\n" -m 1 --noproxy "*" \
+            --header "Content-Type: application/json" --request POST --data '{"policy_path":"'"${var_policy_file}"'"}' \
+            http://127.0.0.1:"$(extract_api_port 'orchestration')"/set-apply-policy 2>&1)
+        is_policy_file_changed
+        is_changed=$?
+        while [ ${is_changed} -eq 0 ]; do
             echo -n "."
             sleep 3
+            is_policy_file_changed
+            is_changed=$?
         done
+
+        var_last_policy_modification_time=$(stat -c %Y ${AGENT_POLICY_PATH})
+        echo "var_policy_file=${var_policy_file}" > ${CUSTOM_POLICY_CONF_FILE}
+        echo "last_local_policy_modification_time=$(stat -c %Y ${var_policy_file})" >> ${CUSTOM_POLICY_CONF_FILE}
         echo "New policy applied."
         exit 1
     elif [ "-lp" = "$1" ] || [ "--list-policies" = "$1" ]; then
         record_command $@
-        echo "/etc/cp/conf/local_policy.yaml"
+        echo $var_policy_file
     elif [ "-vl" = "$1" ] || [ "--view-logs" = "$1" ]; then
         record_command $@
-        less /var/log/nano_agent/cp-nano-http-transaction-handler.log?
+        less $LOG_FILE_PATH/nano_agent/cp-nano-http-transaction-handler.log?
     else
         usage
     fi
@@ -1718,4 +1778,3 @@ load_paths
 run "${@}"
 
 exit 0
-

nodes/orchestration/package/orchestration_package.sh

@@ -179,6 +179,14 @@ verify_proxy_config()
     fi
 }
 
+save_local_policy_config()
+{
+    custom_policy_conf_file=${FILESYSTEM_PATH}/${CONF_PATH}/custom_policy.cfg
+    var_policy_file=${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml
+    echo "var_policy_file=${var_policy_file}" > ${custom_policy_conf_file}
+    echo "last_local_policy_modification_time=$(stat -c %Y ${var_policy_file})" >> ${custom_policy_conf_file}
+}
+
 [ -f /etc/environment ] && . "/etc/environment"
 if [ -n "${CP_ENV_FILESYSTEM}" ] ; then
     FILESYSTEM_PATH=$CP_ENV_FILESYSTEM
@@ -632,6 +640,10 @@ upgrade_conf_if_needed()
             var_orchestration_mode=${previous_mode}
         fi
 
+        if [ ${var_orchestration_mode} = "hybrid_mode" ]; then
+            save_local_policy_config
+        fi
+
         cp_exec "cp -f configuration/orchestration.cfg ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"
         execution_flags="execution_flags=\"--orchestration-mode=${var_orchestration_mode}\""
         echo $execution_flags >> ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg
@@ -667,7 +679,11 @@ copy_orchestration_executable()
     cp_copy open-appsec-cloud-mgmt-k8s ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/open-appsec-cloud-mgmt-k8s
     cp_copy open-appsec-ctl.sh ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/open-appsec-ctl.sh
     if [ $var_hybrid_mode = true ]; then
-        cp_copy local-default-policy.yaml ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml
+        if [ -f /ext/appsec/local_policy.yaml ]; then
+            cp_exec "ln -s /ext/appsec/local_policy.yaml ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml"
+        else
+            cp_copy local-default-policy.yaml ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml
+        fi
     fi
 }
 
@@ -761,6 +777,10 @@ install_orchestration()
         fi
     fi
 
+    if [ -f "$FILESYSTEM_PATH/$CONF_PATH/custom_policy.cfg" ]; then
+        cp_exec "rm -f $FILESYSTEM_PATH/$CONF_PATH/custom_policy.cfg"
+    fi
+
     if command -v ldconfig &>/dev/null; then
         cp_exec "ldconfig" ${FORCE_STDOUT}
     fi
@@ -793,6 +813,11 @@ install_orchestration()
         if ! [ -z "$previous_mode" ]; then
             var_orchestration_mode=${previous_mode}
         fi
+
+        if [ ${var_orchestration_mode} = "hybrid_mode" ]; then
+            save_local_policy_config
+        fi
+
         cp_exec "cp -f configuration/orchestration.cfg ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"
         execution_flags="execution_flags=\"--orchestration-mode=${var_orchestration_mode}\""
         echo $execution_flags >> ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg
@@ -920,6 +945,8 @@ install_orchestration()
     elif [ $var_hybrid_mode = true ]; then
         cp_print "Run Orchestration nano service in hybrid mode" ${FORCE_STDOUT}
         cp_copy certificate/ngen.body.crt ${FILESYSTEM_PATH}/${CERTS_PATH}/fog.pem
+
+        save_local_policy_config
     else
         cp_copy certificate/ngen.body.crt ${FILESYSTEM_PATH}/${CERTS_PATH}/fog.pem
     fi
@@ -1016,19 +1043,19 @@ run_pre_install_test()
 run_post_install_test()
 {
     if [ $var_is_alpine = false ]; then
-        if [ ! -f ${USR_LIB_PATH}/cpnano/libboost_chrono.so.1.78.0 ]; then
+        if [ ! -f ${USR_LIB_PATH}/cpnano/libboost_chrono.so ]; then
             cp_print "Error, libboost_chrono .so file is missing" ${FORCE_STDOUT}
             exit 1
         fi
-        if [ ! -f ${USR_LIB_PATH}/cpnano/libboost_context.so.1.78.0 ]; then
+        if [ ! -f ${USR_LIB_PATH}/cpnano/libboost_context.so ]; then
             cp_print "Error, libboost_context .so file is missing" ${FORCE_STDOUT}
             exit 1
         fi
-        if [ ! -f ${USR_LIB_PATH}/cpnano/libboost_system.so.1.78.0 ]; then
+        if [ ! -f ${USR_LIB_PATH}/cpnano/libboost_system.so ]; then
             cp_print "Error, libboost_system .so file is missing" ${FORCE_STDOUT}
             exit 1
         fi
-        if [ ! -f ${USR_LIB_PATH}/cpnano/libboost_thread.so.1.78.0 ]; then
+        if [ ! -f ${USR_LIB_PATH}/cpnano/libboost_thread.so ]; then
             cp_print "Error, libboost_thread .so file is missing" ${FORCE_STDOUT}
             exit 1
         fi